Cisco today announced a new monitoring tool named Cloud Consumption as a Service (CCaaS) that collects network traffic information and gives IT officials a view into any use of public cloud-based services within a company.

The service is meant in part to help sniff out the use of “shadow cloud” services – those that are not authorized by IT. Knowing which cloud providers are being used within an organization can help reduce the risk that sensitive information is being exposed to the cloud without safeguards and can help IT officials determine which cloud services to offer in a sanctioned way, Cisco said.

The software can automatically collect traffic log information from firewall and web security gateways, or from network gateways using NetFlow. Cisco does not collect user data itself, unless expressly asked to do so by the customer. CCaaS is offered as a cloud-based service for $1 to $2 per employee per month.

CCaaS discovers not only which cloud services are being used but also which users are accessing them and for how long. It can be set up to alert when unusual activity is detected and to report redundant cloud services being used. It also has benchmarking capabilities that allow customers to compare their cloud usage to that of other customers.

IDC analyst Melanie Posey says the tool should not be thought of as a way for IT shops to crack down on illicit cloud usage. Cloud services are seen mostly as a useful service for helping developers build new applications faster. “(CCaaS) is a tool for IT to use in order to get a census of cloud usage – maybe negotiate better per-seat pricing or volume discounts if the cloud service is being widely or heavily used, make sure customer data is being protected and regulatory mandates are being followed,” Posey said.

Monitoring network traffic to provide analytics on cloud usage is not a new concept; other providers offer varying degrees of this service. There’s a budding industry of Cloud Access Security Brokers (CASB). These vendors, most of which also operate as SaaS, sit between a customer’s network and its public cloud provider to act as a gateway to the cloud. Not only do they provide detailed information about how cloud services are used, but they can restrict some usage of the cloud.

User profiles can define which users have access to which public cloud features, and advanced systems can even monitor what data flows into the cloud to make sure, for example, that any sensitive financial data is always encrypted before being sent to the cloud. CCaaS does not provide those services because, Cisco said, they are redundant to existing Data Loss Prevention (DLP) services many customers already use.